-- Per-server summary of sessions received in the window
-- 2024-06-19 15:00:00 < recv_time <= 16:00:00 (Asia/Yangon), restricted to
-- server IPs picked by the three selectors in the GLOBAL IN subquery below.
-- The time bounds and ASN lists are hard-coded literals; server_asn is compared
-- as a string throughout.
SELECT
    server_ip,
    -- any() keeps one value per group; which one is not guaranteed if a server_ip
    -- appears with more than one geolocation or ASN.
    any(server_geolocation) AS location,
    any(server_asn) AS asn,
    groupUniqArray(server_port) AS ports,
    groupUniqArray(decoded_as) AS l7_protocols,
    groupUniqArray((server_port, decoded_as)) AS servers,
    groupUniqArray(server_domain) AS domains,
    groupUniqArray(http_host) AS hosts,
    groupUniqArray(ssl_sni) AS snis,
    count(*) AS session_num,
    countDistinct(client_ip) AS cip_num,
    -- Mean duration per session; reuses the session_num alias defined above.
    round(sum(duration_ms) / session_num, 2) AS avg_duration
FROM tsg_galaxy_v3.session_record
WHERE recv_time > toDateTime('2024-06-19 15:00:00', 'Asia/Yangon')
    AND recv_time <= toDateTime('2024-06-19 16:00:00', 'Asia/Yangon')
    AND server_ip GLOBAL IN (
        -- UNION ALL keeps duplicates across selectors; this outer DISTINCT removes them.
        SELECT DISTINCT server_ip
        FROM (
            -- Selector 1: ports 21/23/554, or a port below 1000 decoded as 'BASE',
            -- outside the listed ASNs (rows with no ASN are kept).
            -- NOTE(review): the lower bound (09:00) is later than the upper bound
            -- (08:00), so this window is empty and the selector returns no rows.
            -- The other two selectors use 15:00-16:00; confirm the intended bounds.
            SELECT DISTINCT server_ip
            FROM tsg_galaxy_v3.session_record
            WHERE recv_time > toDateTime('2024-06-19 09:00:00', 'Asia/Yangon')
                AND recv_time <= toDateTime('2024-06-19 08:00:00', 'Asia/Yangon')
                AND server_port NOT IN (443, 80, 53, 445)
                AND (
                    server_port IN (21, 23, 554)
                    OR (server_port < 1000 AND decoded_as = 'BASE')
                )
                -- presumably an allowlist of ASNs treated as benign; verify against its source
                AND (
                    server_asn NOT IN (
                        '20940', '12222', '16625', '16702', '17204', '18680', '18717',
                        '20189', '21342', '21357', '21399', '22207', '22452', '23454',
                        '23455', '23903', '24319', '26008', '30675', '31107', '31108',
                        '31109', '31110', '31377', '33047', '33905', '34164', '34850',
                        '35204', '35993', '35994', '36183', '39836', '43639', '55409',
                        '55770', '133103', '393560', '54113', '13335', '395747', '202623'
                    )
                    OR server_asn IS NULL
                )
                -- NOTE(review): if server_geolocation is Nullable, NOT LIKE also drops
                -- rows whose geolocation is NULL; confirm that is intended.
                AND server_geolocation NOT LIKE '%China%'
                AND server_geolocation NOT LIKE '%Myanmar%'
                -- NOTE(review): string-prefix match excludes only 10.0.0.0/8 and
                -- 192.168.0.0/16. 172.16.0.0/12, loopback, link-local and IPv6 local
                -- ranges still pass; confirm whether they should be excluded too.
                AND server_ip NOT LIKE '10.%'
                AND server_ip NOT LIKE '192.168.%'

            UNION ALL

            -- Selector 2: SSH on port 22 to servers inside the listed ASNs, with the
            -- same geolocation and private-prefix exclusions (and the same caveats).
            SELECT DISTINCT server_ip
            FROM tsg_galaxy_v3.session_record
            WHERE recv_time > toDateTime('2024-06-19 15:00:00', 'Asia/Yangon')
                AND recv_time <= toDateTime('2024-06-19 16:00:00', 'Asia/Yangon')
                AND server_port = 22
                AND decoded_as = 'SSH'
                AND server_asn IN (
                    '14061', '39690', '62567', '133165', '135340', '200130', '201229',
                    '202018', '202109', '205301', '393406', '394362', '48337', '63949',
                    '15418', '8560', '51862', '51430', '29447', '12876', '47172',
                    '209829', '142592', '13213', '9009', '42973', '33970', '16247',
                    '54856', '46562', '40426', '36202', '27494', '22384', '20093',
                    '14141', '6762'
                )
                AND server_geolocation NOT LIKE '%China%'
                AND server_geolocation NOT LIKE '%Myanmar%'
                AND server_ip NOT LIKE '10.%'
                AND server_ip NOT LIKE '192.168.%'

            UNION ALL

            -- Selector 3: every server in these five ASNs. No port, protocol,
            -- geolocation or private-prefix filter applies here, so this is the
            -- broadest selector and the likeliest source of result volume.
            SELECT DISTINCT server_ip
            FROM tsg_galaxy_v3.session_record
            WHERE recv_time > toDateTime('2024-06-19 15:00:00', 'Asia/Yangon')
                AND recv_time <= toDateTime('2024-06-19 16:00:00', 'Asia/Yangon')
                AND server_asn IN ('63949', '6762', '31898', '9080', '60068')
        )
    )
GROUP BY server_ip
FORMAT CSVWithNames